Cynerio: Securing the Internet of Medical Things
https://cynerio.co
Fri, 15 Feb 2019 10:17:45 +0000

Cynerio Secures $7 Million Seed Round Funding to Drive US Market Development
https://cynerio.co/cynerio-secures-7-million-seed-round-funding-to-drive-us-market-development/
Wed, 09 Jan 2019 14:51:00 +0000

New York, January 9, 2019 – Cynerio
today announced the completion of its $7 million funding round to fuel growth in North America for its 100% healthcare-focused cybersecurity platform. Investors include the global VCs Accelmed, a leading investment firm focused on value creation for medical device companies and technologies; RDC (a joint venture between Elron and Rafael), which invests in exceptional medical device and cybersecurity companies; and MTIP, a leading venture capital firm with expertise in digital health.

“Cynerio is committed to protecting the future
of healthcare by focusing on its weakest link – the connected medical devices
and Internet of Medical Things (IoMT). We are delivering a tailor-made, healthcare
driven solution for providers to ensure patient safety and data protection
while maintaining operational continuity,” explained Leon Lerman, Cynerio CEO.

Cynerio was founded by cybersecurity experts Leon
Lerman and Daniel Brodie, CTO, to deliver a cybersecurity solution that is 100%
designed for healthcare providers, based on the industry’s first technology
that thoroughly analyzes the medical workflows in the IoMT ecosystem, to
automatically discover all the entities on the network, provide an ongoing
healthcare specific risk analysis, accurately detect anomalies and stop threats
to prevent service disruption, data theft and compliance violations.

“The security of connected devices is an issue that continues to plague the hospital ecosystem. I am delighted to work with Cynerio, on what I see to be one of the biggest cybersecurity challenges we currently face,” added Dr. John Halamka.

“The
US healthcare market is woefully underserved by the security industry.
Hospitals deserve cybersecurity solutions tailored to their needs, and this is
where Cynerio can make a big difference with their technology that is not just
identifying the shape of traffic between devices, but also the medical context of
information. I think their technology is very innovative and effective which is
why I have become an adviser to Cynerio,” said Amichai Shulman, Cynerio adviser.

Hospitals require a security solution that
will protect their systems without being intrusive or aggressive. Cynerio
delivers complete visibility into a healthcare organization’s IoMT ecosystem,
protecting it from cyber threats and helping the organization meet HIPAA
regulatory requirements.

Medical device risk mitigation is perhaps the most pressing issue for healthcare CIOs
https://cynerio.co/medical-device-risk-mitigation-is-perhaps-the-most-pressing-issue-for-healthcare-cios/
Tue, 16 Oct 2018 07:05:49 +0000

Hackers see hospitals as treasure troves; they hold our most sensitive data, including medical records, financial information, and pretty much every piece of personal data which makes us distinguishable as an individual (think full name, date of birth, SSNs and financial info) – more or less all the information which allows a cybercriminal to open up numerous credit cards, and commit fraud. Not only this, but if criminals do manage to break into hospital systems, they have the ability to manipulate data which could cause large scale service disruption – and in the very worst-case scenario, could pose a serious threat to patient safety. With the numbers of connected devices in the hospital ecosystem increasing constantly, security is often called into question. As Harvard’s International Healthcare Innovation Professor, I have seen this first hand, and it has become a worldwide issue.

Every day we see breaches making headlines – from big companies and email providers to banks and healthcare insurance providers. However, it tends to be forgotten that there are holes within the medical ecosystem that must be plugged to avoid breaches of this kind, too. Everything from I.V. pumps to X-Ray machines are computer operated and, as with most medical devices in today’s society, are connected to the internet in some way. Breaches of patient information could be catastrophic; just last year, WannaCry crippled NHS computer systems in the UK. Whilst systems were held to ransom, surgeries were cancelled, and urgent care was severely delayed. By getting their hands on data of this kind, hackers could not only go on to commit identity and financial fraud, but in some cases, use the information they have stolen to blackmail victims. Medical data is unique in a way in which it cannot be redacted – it can lead to reputational damage, and can cause the individual victim significant harm. Not only this, but hackers could also go on to manipulate the data to make it untrustworthy, something which could result in poor hospital care. Essentially, hospitals do not only have to worry about data theft, but also data corruption, which could result in large scale disruption of services.

As connected medical devices often do not have security ‘built in’ per se, I believe that risk mitigation of medical devices connected to hospital networks is perhaps the most pressing issue for healthcare CIOs around the world. The risk mitigation is, of course, not only the responsibility of the CIO and more and more, we are seeing cybersecurity being treated as a board level issue; thus, it is the CEO, the COO, the CFO, the CIO – the whole executive suite – working together to reduce cybersecurity risks. Movement in this direction is positive, and if there are hospitals that still think it’s an “IT problem” – they should be concerned, as it’s very challenging to implement change and IT driven initiatives are rarely successful. Boards must not attempt to wait the challenge out and end up with a huge cyber incident on their hands before waking up, and engaging in cybersecurity.

When you look at any risk heat map, the map across healthcare consistently points out IoT connected devices as the most, if not one of the top 10, persistent risks. As a CIO myself, I wanted to be a part of solving this problem. I was fortunate enough to visit Israel in late 2017 with a delegation led by Charlie Baker, the governor of Massachusetts, with the aim of improving relationships between Massachusetts and Israel, specifically focusing on digital health innovation and cybersecurity. I have always appreciated the sophistication of cyber security companies in Israel; the 8200 produces some of the world’s best cybersecurity experts, who found groundbreaking, innovative start-up companies. Having the opportunity to work with an Israeli cybersecurity start-up is clearly an attractive prospect, and Cynerio’s team demonstrated it has the right qualities to address important issues by combining expertise in cybersecurity, medical devices, machine learning and healthcare workflow. Cynerio’s technology detects anomalies affecting connected medical devices using machine learning. It has studied millions of transactions, and can detect variations with a high positive predictive value. By combining device behavior learning with medical workflow analysis, their technology provides visibility into activity on the network, detecting anomalies and threats to patient safety and data protection.

John D. Halamka, MD, MS, is Chief Information Officer of Beth Israel Deaconess Medical Center, Chairman of the New England Healthcare Exchange Network (NEHEN), Co-Chair of the HIT Standards Committee, a full Professor at Harvard Medical School, and a practicing Emergency Physician.

TEL AVIV, October 15, 2018 – Cynerio today announced that Dr. John Halamka, Harvard’s International Healthcare Innovation Professor, has joined the company in an advisory position to help them address the growing problem of securing connected medical devices & healthcare IoT in the hospital ecosystem.

Dr. Halamka is one of the world’s leading CIOs working in the healthcare sector, and he has held CIO roles at both Harvard Medical School and Beth Israel Deaconess Medical Center. He is also a medical doctor, having worked previously as an emergency physician. This experience will allow him to bring invaluable insight of the “on the ground” issues hospitals currently face, day to day.

Speaking of his new role, Halamka said, “I am excited to join Cynerio at such an exciting stage of their journey. As Harvard’s International Healthcare Innovation Professor, I travel the world and I see that medical device security is a worldwide issue, because connected devices are vulnerable. It’s a worldwide issue because cybersecurity in hospitals is not sophisticated enough. There is a building sense of urgency to plug the holes you have and especially in hospitals’ I.V. pumps, EKG machines and X-ray machines, which you don’t even think about as computers, but these days pretty much every medical device has network connectivity and needs to be secured.”

“The security of connected devices is an issue that continues to plague the hospital ecosystem. I am delighted to join Cynerio in an advisory position, to begin working towards finding a solution to what I see to be one of the biggest cybersecurity challenges we currently face,” Halamka added.

“We are thrilled to welcome John to the Cynerio team. His insight and knowledge of the industry, and this element of security, will help us ensure that Cynerio are able to monitor and secure the myriad of devices that are found in a healthcare facility using an approach that harnesses the power of machine learning,” said Cynerio CEO and Founder Leon Lerman.

About Cynerio

Cynerio is a leading provider of medical device and healthcare IoT security solutions. Built on healthcare-driven behavior analysis, Cynerio’s technology provides ongoing visibility into all clinical entities on the network, continuously assesses the risk associated to their behaviour, accurately detects anomalies with medical context consideration and stops malicious threats to ensure patient safety and data protection.

Healthcare organizations face new cybersecurity challenges as the rising number of cyber-attacks impact services and put patient safety at risk. Connected medical and IoT devices that were not designed with security in mind, serve as easy gateways for malware and cyber-attackers to infiltrate hospital systems. The integration of Cynerio’s healthcare-driven behavior analysis platform with the Cisco Identity Services Engine makes it easier to accurately pinpoint the weak spots in the medical device network ecosystem and to provide protection without interfering with clinical workflows.

Cisco’s Identity Services Engine (ISE) is a next-generation network access system that simplifies identity management across diverse networks. Cisco ISE provides rich user and device details making it possible to create and enforce network access policies for the endpoints and reduce the cyber-risk.

Cynerio is a leading provider of medical device and IoT security solutions. Built on healthcare-driven behavior analysis, Cynerio’s technology provides enhanced visibility into the clinical entities and associated risk of connected device network behavior. By communicating through Cisco’s Platform Exchange Grid, pxGrid, Cynerio has developed interoperability with the Cisco Identity Services Engine, making it easier and safer for ISE users to enforce secure access policies for their medical devices.

Cisco – Cynerio Integrated Solution

Each connected medical device plays a specific role in the clinical network ecosystem. Understanding the functionality and behavior of the device is necessary for effectively assessing and addressing the cyber risks. Cynerio’s healthcare-driven behavior analysis platform enriches Cisco ISE with intelligence about each connected device. Combining Cisco ISE with Cynerio provides healthcare CISOs with a clear understanding of the risk type and priority for each connected device. The integrated solution enables security teams to enforce access policies that ensure normal clinical communication flows while blocking potentially malicious communications.

With the Cisco-Cynerio integrated solution, users gain the following benefits for their medical device ecosystem security:

Continuous discovery and classification of connected medical and IoT devices

Visibility into the associated risk for each connected device with clinical context

Protection against cyber-attacks without interfering with clinical workflows

The number of patient medical record breaches reported due to hacking or unauthorized access events has been climbing over the past years.

There are several factors that could help explain this continued growth.

1. Healthcare hacking is getting easier

Digital transformation in healthcare is moving forward but security is lagging behind. Hospital systems with outdated, unpatched devices are connected to the Internet, increasing their likelihood of getting infected with malware. Infected medical devices allow hackers to exploit vulnerabilities and gain access to hospital systems. Once they find a foothold, hackers can offer “hacking-as-a-service” to fraudsters who are interested in exploiting healthcare systems but lack the technical hacking skills.

2. Cyber-attacks are becoming more advanced

Cybercrime organizations operate like any other technology company and they are continuously developing more advanced hacking tools. In their research, the TrapX Security Labs division described medical devices in hospitals that were found to be infected with an advanced attack flow that they call MEDJACK (medical hijack), that creates a pivot point for hackers to access hospital systems. They reported that attackers had used sophisticated attack techniques that could enable extraction of sensitive patient information without getting detected.

3. Medical records are more valuable for fraudsters

Stolen medical records tend to have a higher value on the black market than stolen credit card information. Cynerio’s researchers follow dark web activity related to hacking of medical devices using Sixgill’s dark web monitoring technology. Here is an example of a vendor charging double the price for personal information when it includes medical ID.

What do fraudsters do with stolen medical records?

One of the most common forms of fraud is credit card or banking fraud where the medical records are used in combination with other personal information to make fraudulent transactions. But the more interesting frauds are those related to health insurance and taxes. This is also where information specific to medical records comes in handy. In this case the fraudster would need as much background information on the victims as possible, and medical records usually include rich background information. Our research team recently found a vendor selling kids’ social security numbers and dates of birth (known on the dark web as “fullz”), that were hacked from pediatricians’ databases. The same vendor has just released a new batch of children’s “fullz”. The proximity of this new batch to the previous one is a good indicator that there is a strong demand for fresh information stolen from medical databases.

One of the reasons fraudsters are interested in social security numbers belonging to children and teens could be that these are individuals who have perfect credit records, giving the fraudsters a better chance of successfully applying for credit or loans using this fake ID. Another reason that they are interested in kids’ information could be related to tax fraud. The vendor below mentions that “TAX fraudsters knows the benefits of having childs in the tax records when filing”.

Besides financial fraud, criminals also use stolen medical information for illegally acquiring medical supplies and services. One of the dark web vendors our researchers found explains to potential customers how they can use the medical ID that he or she is selling to get prescribed drugs delivered to them, to order medication, and even to book a doctor’s appointment for a check-up.

Another strange and troubling phenomenon on the dark web is hackers selling medical records of people who have passed away. Cynerio’s research team recently found a post from a vendor on the dark web offering a huge amount of medical records. In this post, the vendor mentions that 60,000 of the records include the death date.

It may come as a surprise to think that fraudsters would be interested in purchasing medical records of patients that are already deceased, but there is a reason for this. A victim who finds out their personal information was used fraudulently will immediately report the incident. But if the person whose identity is used for the fraud is deceased, it may go unnoticed for a very long time.

Healthcare organizations that collect, store and transfer medical records should be aware of the growing demand for stolen medical records and of the advances in the threat landscape. It is increasingly important to educate employees about cybersecurity and to develop advanced defenses, especially for older, more vulnerable medical systems.

Cynerio’s mission is to help healthcare organizations protect the confidentiality, integrity and availability of their medical device data and services. Our non-intrusive, network-based platform detects and analyzes threats, and provides prioritized actionable alerts enabling faster and more effective response to cyber-attacks, untargeted threats, and human errors.


One of the many troubling trends in dark web black markets is the buying and selling of PHI – protected health information. This is data illegally retrieved from hospitals, clinics and other healthcare institutions by hackers who take advantage of weaknesses in their cyber-security. PHI typically includes social security numbers, dates of birth, names of relatives, medical procedures and results, and in some cases billing and financial information or background information such as criminal records.

What hackers do with the protected health information

PHI is typically sold in bundles that cyber-criminals call “fullz”. Fullz are records of structured personal information that can later be used for various kinds of fraud and extortion such as banking and credit fraud, healthcare fraud, identity theft and ransom extortion. In some cases, fraudsters are interested in buying specific medical records as in the following case.

Cynerio’s researchers follow dark web activity related to hacking of medical devices, using Sixgill’s dark web monitoring technology. While posts about exploitation of medical information systems and stolen patient information are quite common, we are still sometimes surprised by certain alarming posts, like the following one.

This is a dark web market vendor selling fullz acquired from pediatricians’ databases to fraudsters who might be interested. The wording used to advertise this package is particularly disturbing – “the kids are born 2000+ and generally speaking come from good families that can provide medical support.“ It appears evident from this description that the stolen information may be used for extortion.

The vendor also links to his “cashout” guide. Cashout guides are commonly offered by vendors who sell “fullz” to help the buyers understand how to make money out of this kind of data.

Based on deployments of Cynerio’s cyber-security solution in hospitals, we’ve seen that children’s PHI’s can be more than 10% of total PHIs, and their data is often transmitted over the network unencrypted and unprotected, and stored in medical servers that aren’t sufficiently cyber-protected.

Sadly, there’s a very high probability that we’ll continue seeing offers of this nature.

Hacking-as-a-Service

Selling stolen health information is only one of the things hackers do on the dark web. Our researchers came across an interesting post from a vendor offering SMTP servers to interested clients (e.g. spammers, phishing campaigners, malware distributors etc.). What caught our eye was the end of the message in which the vendor mentions that ‘if you want Hospital server just leave us a note “I want hospital server”’. This is interesting because it could be for clients who are interested in sending malicious emails from a hospital domain because they are planning a spear phishing campaign against healthcare targets. It also shows that the vendor has remote code execution access to computers within hospital networks.

Why is this happening?

The fact that healthcare providers’ databases can be hacked, dumped and sold to the highest bidder (with the lowest morals), is quite troubling. Healthcare systems store some of the most sensitive and private information about us, and this information is exposed to a wide range of cyber-attacks on a huge attack surface, stretching from servers that store patient data in bulk, through nursing-station desktops, to a variety of connected medical devices. Most of these clinical systems are poorly patched and communicate through unsecure channels. Hackers take advantage of this to get hold of our most sensitive information.

Putting those two facts together – the ubiquity of PHI in healthcare systems, and ease of infiltration and exploitation – it should come as no surprise that healthcare hacking events have been continuously increasing over the past years.

Today, it’s more important than ever for healthcare security leaders to have increased visibility of their clinical systems, and how they handle PHI, in order to ensure patient data protection.


A series of 23 worrisome vulnerabilities in popular GE medical devices has recently been listed in an advisory by ICS-CERT – the US government agency in charge of the cybersecurity posture of critical infrastructure in the US.

The affected devices include many imaging systems as well as GE’s Centricity PACS Server – which is a core access point to sensitive medical information such as personal patient information and medical imaging data, used by many hospitals and healthcare organizations worldwide.

The vulnerabilities are very simple in essence – the vulnerable systems expose a remote access interface with default passwords (which hackers can look up online).

To make things worse the vulnerabilities are classified “network exploitable” – which means they can potentially be remotely exploitable by unsophisticated attackers who don’t need to be on, or even have access to, the hospital network they’re attacking in order to execute malicious activity and steal highly sensitive data.

These vulnerabilities belong to a category of security weaknesses called “credentials management,” and there are a few key factors in understanding these vulnerabilities and classifying them by severity.

Passwords – hardcoded / default

In a default password scenario a system creates some kind of default user(s) with a default authentication password – and while it is technically possible to override these credentials, as long as this is not enforced by the system, a lot of systems remain configured with the preexisting user-password and are hence exploitable by an attacker who knows these default credentials.

Manufacturer manuals will typically instruct operators to override the default credentials, but according to some reports vendors are telling operators that if they change the default passwords (and thereby disrupt maintenance by their technicians) they will revoke the device’s warranty.

In a hardcoded password scenario things might get even worse – these are systems that create a user-password credentials pair that cannot be overridden and therefore might pose an unamendable threat to the system. In more complex situations the credentials can actually be deleted, but other interdependent systems make assumptions about the existence of the hardcoded user, so interoperability might be damaged.

Mitigations and ease of exploitation

The common use case for exploiting these vulnerabilities would be the network-adjacent attack vector – in which the attacker is placed within the perimeter of the hospital network and leverages known credentials in order to take over machines within this network.

The situation is much worse when the interface to connect to the system in question is remote – meaning it’s possible to connect and authenticate from the internet and potentially compromise the system. For reasons related to patient safety, the disclosure of these vulnerabilities doesn’t include all the information needed to understand how to gain access to the devices, but since the vulnerabilities were classified as “network exploitable” and not “adjacent network exploitable” we can assume that if a device was not properly configured, which based on our field experience is not uncommon, an attacker will be able to communicate with these devices from the internet.

Another very important mitigation is the use of specific encryption keys that are delivered with the devices and are unique per site. This prevents systems from communicating with a malicious attacker even if he has the known credentials. For example, it seems that in the case of GE’s Centricity workstation component, which exposes a TimbuktuPro service (a remote access tool) with default credentials, the behavior is mitigated, according to GE’s manual, by using site keys delivered by the vendor. This means that possessing the right credentials will not be enough for malicious actors trying to take over the device remotely, as they lack the encryption keys.

While many of the vulnerabilities in the advisory have been known for a couple of years now, it is amazing to see that there are still more of these coming, as the advisory includes four newer vulnerabilities (2017) that are still not fully disclosed. Cynerio has discovered these default passwords still being used in health organizations. This brings to mind the overwhelming challenge of keeping medical entities up to date security-wise without interrupting their everyday operations.

According to statistics pulled from Shodan – the IoT search engine – there are currently 1,508 active internet-facing machines that communicate healthcare information (DICOM) – 510 of which in the US.

Hackers are becoming increasingly interested in gaining access to PHI – personal health information and selling it in dark-web markets to the highest bidder.

And healthcare providers must ramp up their security posture so that they stop being a cost-efficient target for attackers.

What should hospitals do?

Healthcare facilities’ network administrators should work in coordination with their medical-devices vendors to make sure they have the latest security patches installed

Default credentials should be changed to more secure site-credentials while making sure device functionality and interoperability are not hindered

Security professionals in healthcare should put in place controls that will enable full visibility of the medical entities on the network, making it possible to understand their behavior and trace and mitigate anomalies and vulnerabilities in real time; you cannot defend what you cannot see

By understanding the actual deployment of medical devices, and devices containing personal patient information, security professionals can apply defense-in-depth principles, leaving medical entities unexposed to the internet – and only allow internet communications to medical devices through secure VPN tunnels and according to necessity.
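The severity factors discussed above (default versus hardcoded credentials, adjacent versus internet reachability, and per-site encryption keys) can be turned into a simple triage over a device inventory. This is an added example, not Cynerio's or GE's code; the inventory fields, device names and scoring weights are assumptions made for illustration.

```python
"""Triage credential-management exposure in a medical device inventory.

Added illustration: field names, sample devices and weights are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Cred(Enum):
    SITE = "site"            # default replaced by site-specific credentials
    DEFAULT = "default"      # vendor default still active, can be overridden
    HARDCODED = "hardcoded"  # cannot be overridden by the operator


class Reach(Enum):
    ADJACENT = "adjacent"    # remote interface reachable only inside the network
    INTERNET = "internet"    # remote interface reachable from the internet


@dataclass(frozen=True)
class Device:
    name: str
    cred: Cred
    reach: Reach
    site_key: bool           # vendor-delivered per-site encryption key in use


@dataclass(frozen=True)
class Finding:
    device: str
    score: int
    severity: str
    actions: tuple


def assess(dev: Device) -> Finding:
    """Score one device and list the mitigations that apply to it."""
    known_creds = dev.cred in (Cred.DEFAULT, Cred.HARDCODED)
    score, actions = 0, []
    if dev.cred is Cred.DEFAULT:
        score += 2
        actions.append("replace default credentials with site credentials, "
                       "after checking vendor maintenance and interoperability")
    elif dev.cred is Cred.HARDCODED:
        score += 2
        actions.append("credentials cannot be changed: ask the vendor for a "
                       "patch and restrict access at the network layer")
    if dev.reach is Reach.INTERNET:
        score += 2
        actions.append("remove direct internet exposure; allow remote access "
                       "only through a VPN tunnel and only where necessary")
    if known_creds and not dev.site_key:
        # Without a site key, knowing the credentials is enough to connect.
        score += 1
        actions.append("enable per-site encryption keys where supported")
    if score >= 5:
        severity = "critical"
    elif score >= 3:
        severity = "high"
    elif score >= 1:
        severity = "medium"
    else:
        severity = "low"
    return Finding(dev.name, score, severity, tuple(actions))


def triage(inventory):
    """Return findings ordered from most to least urgent."""
    return sorted((assess(d) for d in inventory),
                  key=lambda f: (-f.score, f.device))


# Constructed sample inventory (hypothetical device names).
INVENTORY = [
    Device("dicom-printer-01", Cred.SITE, Reach.ADJACENT, False),
    Device("imaging-ws-01", Cred.DEFAULT, Reach.INTERNET, False),
    Device("imaging-ws-02", Cred.DEFAULT, Reach.ADJACENT, True),
    Device("modality-03", Cred.SITE, Reach.INTERNET, False),
    Device("pacs-01", Cred.HARDCODED, Reach.ADJACENT, False),
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.severity:8} {f.device}")
        for action in f.actions:
            print(f"         - {action}")
```
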

Rambam Health Care Campus, commonly known as Rambam Hospital, is piloting Cynerio’s cutting edge cybersecurity technology to protect its medical device ecosystem from cyber threats. In addition to being one of the most innovative in terms of adopting new medical technology to treat patients so that they have the most successful treatment possible, Rambam Hospital is now working with Cynerio to protect the data and safety of its patients.

Sara Tzafrir, CIO of Rambam Hospital, said, “Our hospital is one of the most innovative in adopting new medical technologies to make sure that our patients have the most successful treatment possible. The latest medical treatment relies on a myriad of devices to deliver the highest levels of care and best outcomes for our patients. We have a growing number of smart and connected medical devices that come with new risks to the clinical ecosystem that need to be addressed. We already work closely with all the best technology firms in Israel to secure our hospital and patients, yet we knew that there was still more to be done to secure our medical devices and we would need something innovative to meet the potential risks. Not only were we looking for proactive security and real-time protection for the service and data on our connected medical devices, we also wanted to gain full visibility into our medical device ecosystem and the associated risk. After a lot of careful considerations, we decided to pilot Cynerio’s technology.”

Cynerio’s ground-breaking technology was developed for the specialized needs of the healthcare industry, securing healthcare’s weakest link – the connected medical device ecosystem – by providing:

Rambam Hospital is the largest in Northern Israel and the only provider of Level-1 trauma medicine, with more than two million people depending on it for medical care and public health information, and also serves as the tertiary referral center for twelve district hospitals. Rambam is not only the referral hospital for the Israel Defense Forces (IDF) Northern Command, it also takes care of the US Navy Sixth Fleet, and the UN Peacekeeping Forces posted in the region. Rambam treats more trauma patients than any other hospital in Israel, and the percentage of trauma survivors is the highest in the country.

Eyal Kellner, CTO of Rambam Hospital, said, “The hospital generates an incredible amount of sensitive data each year as a result of approximately 135,000 emergency department visits; 91,025 inpatient admissions; 687,750 outpatient visits; 55,350 surgeries; 267,975 imaging procedures; and more than 1,473,780 laboratory procedures. The hospital became aware that there is a large and growing number of connected medical devices in its ecosystem which could become vulnerable to cyberattacks, which was a concern due to the sensitive and valuable patient data it handles. Most of the devices used in healthcare’s clinical environment are outside the scope and capability of traditional IT security technologies, which elevated the issue to a critical threat. The hospital sought a technology that could show what’s happening in the medical device ecosystem, how many devices could be affected and also help to protect them, and is now working with Cynerio to protect our medical ecosystem. Cynerio’s medical workflow analysis technology uses machine learning to precisely model the behavior of the medical entities on the network, taking into account the medical workflows they are taking part in, providing very accurate anomaly detection that also takes medical context consideration.”

At Cynerio we know that protecting medical devices is important but it’s just part of the challenge. There is an entire ecosystem supporting these devices which includes gateways such as medical imaging picture archiving and communication systems (PACS), nurses stations, clinical servers, DICOM printers and middleware, that is also vulnerable and needs protection. It’s key to understand the ecosystem and the behaviour of the medical devices to provide a comprehensive solution.

We are already working with healthcare providers, deployed in leading hospitals in Israel like Rambam, and are now starting pilots in large US health systems.